* [PATCH] filter: add path filter with fstype
@ 2017-04-04 10:40 Richard Guy Briggs
2017-06-13 0:28 ` Steve Grubb
0 siblings, 1 reply; 6+ messages in thread
From: Richard Guy Briggs @ 2017-04-04 10:40 UTC (permalink / raw)
To: linux-audit; +Cc: Richard Guy Briggs
Tracefs or debugfs were causing hundreds to thousands of PATH records to
be associated with the init_module and finit_module SYSCALL records on a
few modules when the following rule was in place for startup:
-a always,exit -F arch=x86_64 -S init_module -F key=mod-load
Add the new "path" filter list anchored in __audit_inode_child() to
filter out PATH records from uninteresting filesystem types, "fstype",
keying on their kernel hexadecimal 4-octet magic identifier.
An example rule would look like:
-a never,path -F fstype=0x74726163 -F key=ignore_tracefs
-a never,path -F fstype=0x64626720 -F key=ignore_debugfs
Note: "always,path" will log the PATH record anyways and add latency.
See: https://github.com/linux-audit/audit-userspace/issues/15
See: https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
docs/audit_add_rule_data.3 | 3 +++
lib/errormsg.h | 5 +++++
lib/fieldtab.h | 2 ++
lib/flagtab.h | 2 ++
lib/libaudit.c | 26 ++++++++++++++++++++++++--
lib/libaudit.h | 10 ++++++++++
lib/private.h | 1 +
src/auditctl-listing.c | 6 ++++--
src/auditctl.c | 14 +++++++++++++-
9 files changed, 64 insertions(+), 5 deletions(-)
diff --git a/docs/audit_add_rule_data.3 b/docs/audit_add_rule_data.3
index 2321f39..4867e8c 100644
--- a/docs/audit_add_rule_data.3
+++ b/docs/audit_add_rule_data.3
@@ -22,6 +22,9 @@ AUDIT_FILTER_EXIT - Apply rule at syscall exit.
.TP
\(bu
AUDIT_FILTER_TYPE - Apply rule at audit_log_start.
+.TP
+\(bu
+AUDIT_FILTER_PATH - Apply rule at __audit_inode_child.
.LP
.PP
diff --git a/lib/errormsg.h b/lib/errormsg.h
index 50c7d50..2a6e4d6 100644
--- a/lib/errormsg.h
+++ b/lib/errormsg.h
@@ -20,6 +20,7 @@
* Authors:
* Zhang Xiliang <zhangxiliang@cn.fujitsu.com>
* Steve Grubb <sgrubb@redhat.com>
+ * Richard Guy Briggs <rgb@redhat.com>
*/
struct msg_tab {
@@ -70,6 +71,8 @@ static const struct msg_tab err_msgtab[] = {
{ -32, 0, "field data is missing" },
{ -33, 2, "-C field incompatible" },
{ -34, 2, "-C value incompatible" },
+ { -35, 1, "field is not valid for the filter" },
+ { -36, 1, "filter is not supported ty kernel" },
};
#define EAU_OPMISSING 1
#define EAU_FIELDUNKNOWN 2
@@ -103,4 +106,6 @@ static const struct msg_tab err_msgtab[] = {
#define EAU_DATAMISSING 32
#define EAU_COMPFIELDINCOMPAT 33
#define EAU_COMPVALINCOMPAT 34
+#define EAU_FIELDUNAVAIL 35
+#define EAU_FILTERNOSUPPORT 36
#endif
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index 0c5e39d..c425d5b 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -18,6 +18,7 @@
*
* Authors:
* Steve Grubb <sgrubb@redhat.com>
+ * Richard Guy Briggs <rgb@redhat.com>
*/
_S(AUDIT_PID, "pid" )
@@ -56,6 +57,7 @@ _S(AUDIT_WATCH, "path" )
_S(AUDIT_PERM, "perm" )
_S(AUDIT_DIR, "dir" )
_S(AUDIT_FILETYPE, "filetype" )
+_S(AUDIT_FSTYPE, "fstype" )
_S(AUDIT_OBJ_UID, "obj_uid" )
_S(AUDIT_OBJ_GID, "obj_gid" )
_S(AUDIT_FIELD_COMPARE, "field_compare" )
diff --git a/lib/flagtab.h b/lib/flagtab.h
index 4b04692..ed3e729 100644
--- a/lib/flagtab.h
+++ b/lib/flagtab.h
@@ -18,8 +18,10 @@
*
* Authors:
* Steve Grubb <sgrubb@redhat.com>
+ * Richard Guy Briggs <rgb@redhat.com>
*/
_S(AUDIT_FILTER_TASK, "task" )
_S(AUDIT_FILTER_EXIT, "exit" )
_S(AUDIT_FILTER_USER, "user" )
_S(AUDIT_FILTER_EXCLUDE, "exclude" )
+_S(AUDIT_FILTER_PATH, "path" )
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 028483d..f28238a 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -19,6 +19,7 @@
* Authors:
* Steve Grubb <sgrubb@redhat.com>
* Rickard E. (Rik) Faith <faith@redhat.com>
+ * Richard Guy Briggs <rgb@redhat.com>
*/
#include "config.h"
@@ -86,6 +87,7 @@ int _audit_archadded = 0;
int _audit_syscalladded = 0;
int _audit_exeadded = 0;
int _audit_filterexcladded = 0;
+int _audit_filterpathadded = 0;
unsigned int _audit_elf = 0U;
static struct libaudit_conf config;
@@ -1475,6 +1477,23 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
}
}
+ /* PATH filter can be used only with FSTYPE field */
+ if (flags == AUDIT_FILTER_PATH) {
+ uint32_t features = audit_get_features();
+ if ((features & AUDIT_FEATURE_BITMAP_FILTER_PATH) == 0) {
+ return -EAU_FILTERNOSUPPORT;
+ } else {
+ switch(field) {
+ case AUDIT_FSTYPE:
+ _audit_filterpathadded = 1;
+ case AUDIT_FILTERKEY:
+ break;
+ default:
+ return -EAU_FIELDUNAVAIL;
+ }
+ }
+ }
+
rule->fields[rule->field_count] = field;
rule->fieldflags[rule->field_count] = op;
switch (field)
@@ -1589,7 +1608,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
}
if (field == AUDIT_FILTERKEY &&
!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded || _audit_filterexcladded))
+ _audit_exeadded || _audit_filterexcladded ||
+ _audit_filterpathadded))
return -EAU_KEYDEP;
vlen = strlen(v);
if (field == AUDIT_FILTERKEY &&
@@ -1724,7 +1744,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
return -EAU_EXITONLY;
/* fallthrough */
default:
- if (field == AUDIT_INODE) {
+ if (field == AUDIT_INODE || field == AUDIT_FSTYPE) {
if (!(op == AUDIT_NOT_EQUAL ||
op == AUDIT_EQUAL))
return -EAU_OPEQNOTEQ;
@@ -1736,6 +1756,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if (!isdigit((char)*(v)))
return -EAU_FIELDVALNUM;
+ if (field == AUDIT_FSTYPE && flags != AUDIT_FILTER_PATH)
+ return -EAU_FIELDUNAVAIL;
if (field == AUDIT_INODE)
rule->values[rule->field_count] =
strtoul(v, NULL, 0);
diff --git a/lib/libaudit.h b/lib/libaudit.h
index e5c7a4d..e9c4973 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -277,6 +277,9 @@ extern "C" {
#define AUDIT_KEY_SEPARATOR 0x01
/* These are used in filter control */
+#ifndef AUDIT_FILTER_PATH
+#define AUDIT_FILTER_PATH 0x06 /* PATH record filter in __audit_inode_child */
+#endif
#define AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE
#define AUDIT_FILTER_MASK 0x07 /* Mask to get actual filter */
#define AUDIT_FILTER_UNSET 0x80 /* This value means filter is unset */
@@ -305,6 +308,9 @@ extern "C" {
#ifndef AUDIT_FEATURE_BITMAP_LOST_RESET
#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
#endif
+#ifndef AUDIT_FEATURE_BITMAP_FILTER_PATH
+#define AUDIT_FEATURE_BITMAP_FILTER_PATH 0x00000040
+#endif
/* Defines for interfield comparison update */
#ifndef AUDIT_OBJ_UID
@@ -324,6 +330,10 @@ extern "C" {
#define AUDIT_SESSIONID 25
#endif
+#ifndef AUDIT_FSTYPE
+#define AUDIT_FSTYPE 26
+#endif
+
#ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
#endif
diff --git a/lib/private.h b/lib/private.h
index 855187b..117d6e3 100644
--- a/lib/private.h
+++ b/lib/private.h
@@ -140,6 +140,7 @@ extern int _audit_archadded;
extern int _audit_syscalladded;
extern int _audit_exeadded;
extern int _audit_filterexcladded;
+extern int _audit_filterpathadded;
extern unsigned int _audit_elf;
#ifdef __cplusplus
diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c
index 3bc8e71..e8640dd 100644
--- a/src/auditctl-listing.c
+++ b/src/auditctl-listing.c
@@ -91,7 +91,8 @@ static int is_watch(const struct audit_rule_data *r)
if (((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_USER) &&
((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK) &&
- ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE)) {
+ ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE) &&
+ ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_PATH)) {
for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) {
if (r->mask[i] != (uint32_t)~0) {
all = 0;
@@ -139,7 +140,8 @@ static int print_syscall(const struct audit_rule_data *r, unsigned int *sc)
/* Rules on the following filters do not take a syscall */
if (((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_USER) ||
((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_TASK) ||
- ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE))
+ ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE) ||
+ ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_PATH))
return 0;
/* See if its all or specific syscalls */
diff --git a/src/auditctl.c b/src/auditctl.c
index c785087..c7e8f0f 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -19,6 +19,7 @@
* Authors:
* Steve Grubb <sgrubb@redhat.com>
* Rickard E. (Rik) Faith <faith@redhat.com>
+ * Richard Guy Briggs <rgb@redhat.com>
*/
#include "config.h"
@@ -75,6 +76,7 @@ static int reset_vars(void)
_audit_archadded = 0;
_audit_exeadded = 0;
_audit_filterexcladded = 0;
+ _audit_filterpathadded = 0;
_audit_elf = 0;
add = AUDIT_FILTER_UNSET;
del = AUDIT_FILTER_UNSET;
@@ -152,6 +154,8 @@ static int lookup_filter(const char *str, int *filter)
*filter = AUDIT_FILTER_EXIT;
else if (strcmp(str, "user") == 0)
*filter = AUDIT_FILTER_USER;
+ else if (strcmp(str, "path") == 0)
+ *filter = AUDIT_FILTER_PATH;
else if (strcmp(str, "exclude") == 0) {
*filter = AUDIT_FILTER_EXCLUDE;
exclude = 1;
@@ -761,6 +765,13 @@ static int setopt(int count, int lineno, char *vars[])
audit_msg(LOG_ERR,
"Error: syscall auditing being added to user list");
return -1;
+ } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_PATH || (del &
+ (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_PATH)) {
+ audit_msg(LOG_ERR,
+ "Error: syscall auditing being added to path list");
+ return -1;
} else if (exclude) {
audit_msg(LOG_ERR,
"Error: syscall auditing cannot be put on exclude list");
@@ -937,7 +948,8 @@ static int setopt(int count, int lineno, char *vars[])
break;
case 'k':
if (!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded || _audit_filterexcladded) ||
+ _audit_exeadded || _audit_filterexcladded ||
+ _audit_filterpathadded) ||
(add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
audit_msg(LOG_ERR,
"key option needs a watch or syscall given prior to it");
--
1.7.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [PATCH] filter: add path filter with fstype 2017-04-04 10:40 [PATCH] filter: add path filter with fstype Richard Guy Briggs @ 2017-06-13 0:28 ` Steve Grubb 2017-06-13 2:45 ` Richard Guy Briggs 0 siblings, 1 reply; 6+ messages in thread From: Steve Grubb @ 2017-06-13 0:28 UTC (permalink / raw) To: Richard Guy Briggs, Paul Moore; +Cc: linux-audit Hello, This patch needs to be refactored to match the current count of error messages in err_msgtab. What error message is emitted when run on a kernel that does not support the new filter? On Tuesday, April 4, 2017 6:40:18 AM EDT Richard Guy Briggs wrote: > Tracefs or debugfs were causing hundreds to thousands of PATH records to > be associated with the init_module and finit_module SYSCALL records on a > few modules when the following rule was in place for startup: > -a always,exit -F arch=x86_64 -S init_module -F key=mod-load > > Add the new "path" filter list anchored in __audit_inode_child() to > filter out PATH records from uninteresting filesystem types, "fstype", > keying on their kernel hexadecimal 4-octet magic identifier. > > An example rule would look like: > -a never,path -F fstype=0x74726163 -F key=ignore_tracefs > -a never,path -F fstype=0x64626720 -F key=ignore_debugfs Are we sure path is the best name for this filter? Is there something more precise like filesystem? > Note: "always,path" will log the PATH record anyways and add latency. > > See: https://github.com/linux-audit/audit-userspace/issues/15 > See: https://github.com/linux-audit/audit-kernel/issues/8 > Test case: https://github.com/linux-audit/audit-testsuite/issues/42 > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > --- > docs/audit_add_rule_data.3 | 3 +++ > lib/errormsg.h | 5 +++++ > lib/fieldtab.h | 2 ++ > lib/flagtab.h | 2 ++ > lib/libaudit.c | 26 ++++++++++++++++++++++++-- > lib/libaudit.h | 10 ++++++++++ > lib/private.h | 1 + > src/auditctl-listing.c | 6 ++++-- > src/auditctl.c | 14 +++++++++++++- > 9 files changed, 64 insertions(+), 5 deletions(-) > > diff --git a/docs/audit_add_rule_data.3 b/docs/audit_add_rule_data.3 > index 2321f39..4867e8c 100644 > --- a/docs/audit_add_rule_data.3 > +++ b/docs/audit_add_rule_data.3 > @@ -22,6 +22,9 @@ AUDIT_FILTER_EXIT - Apply rule at syscall exit. > .TP > \(bu > AUDIT_FILTER_TYPE - Apply rule at audit_log_start. > +.TP > +\(bu > +AUDIT_FILTER_PATH - Apply rule at __audit_inode_child. I don't think this is real clear. Maybe some others need touching up here as well. But we should say something someone with a casual knowledge of audit would understand. > .LP > > .PP > diff --git a/lib/errormsg.h b/lib/errormsg.h > index 50c7d50..2a6e4d6 100644 > --- a/lib/errormsg.h > +++ b/lib/errormsg.h > @@ -20,6 +20,7 @@ > * Authors: > * Zhang Xiliang <zhangxiliang@cn.fujitsu.com> > * Steve Grubb <sgrubb@redhat.com> > + * Richard Guy Briggs <rgb@redhat.com> > */ > > struct msg_tab { > @@ -70,6 +71,8 @@ static const struct msg_tab err_msgtab[] = { > { -32, 0, "field data is missing" }, > { -33, 2, "-C field incompatible" }, > { -34, 2, "-C value incompatible" }, > + { -35, 1, "field is not valid for the filter" }, > + { -36, 1, "filter is not supported ty kernel" }, > }; Numbers need re-aligning. -Steve > #define EAU_OPMISSING 1 > #define EAU_FIELDUNKNOWN 2 > @@ -103,4 +106,6 @@ static const struct msg_tab err_msgtab[] = { > #define EAU_DATAMISSING 32 > #define EAU_COMPFIELDINCOMPAT 33 > #define EAU_COMPVALINCOMPAT 34 > +#define EAU_FIELDUNAVAIL 35 > +#define EAU_FILTERNOSUPPORT 36 > #endif > diff --git a/lib/fieldtab.h b/lib/fieldtab.h > index 0c5e39d..c425d5b 100644 > --- a/lib/fieldtab.h > +++ b/lib/fieldtab.h > @@ -18,6 +18,7 @@ > * > * Authors: > * Steve Grubb <sgrubb@redhat.com> > + * Richard Guy Briggs <rgb@redhat.com> > */ > > _S(AUDIT_PID, "pid" ) > @@ -56,6 +57,7 @@ _S(AUDIT_WATCH, "path" ) > _S(AUDIT_PERM, "perm" ) > _S(AUDIT_DIR, "dir" ) > _S(AUDIT_FILETYPE, "filetype" ) > +_S(AUDIT_FSTYPE, "fstype" ) > _S(AUDIT_OBJ_UID, "obj_uid" ) > _S(AUDIT_OBJ_GID, "obj_gid" ) > _S(AUDIT_FIELD_COMPARE, "field_compare" ) > diff --git a/lib/flagtab.h b/lib/flagtab.h > index 4b04692..ed3e729 100644 > --- a/lib/flagtab.h > +++ b/lib/flagtab.h > @@ -18,8 +18,10 @@ > * > * Authors: > * Steve Grubb <sgrubb@redhat.com> > + * Richard Guy Briggs <rgb@redhat.com> > */ > _S(AUDIT_FILTER_TASK, "task" ) > _S(AUDIT_FILTER_EXIT, "exit" ) > _S(AUDIT_FILTER_USER, "user" ) > _S(AUDIT_FILTER_EXCLUDE, "exclude" ) > +_S(AUDIT_FILTER_PATH, "path" ) > diff --git a/lib/libaudit.c b/lib/libaudit.c > index 028483d..f28238a 100644 > --- a/lib/libaudit.c > +++ b/lib/libaudit.c > @@ -19,6 +19,7 @@ > * Authors: > * Steve Grubb <sgrubb@redhat.com> > * Rickard E. (Rik) Faith <faith@redhat.com> > + * Richard Guy Briggs <rgb@redhat.com> > */ > > #include "config.h" > @@ -86,6 +87,7 @@ int _audit_archadded = 0; > int _audit_syscalladded = 0; > int _audit_exeadded = 0; > int _audit_filterexcladded = 0; > +int _audit_filterpathadded = 0; > unsigned int _audit_elf = 0U; > static struct libaudit_conf config; > > @@ -1475,6 +1477,23 @@ int audit_rule_fieldpair_data(struct audit_rule_data > **rulep, const char *pair, } > } > > + /* PATH filter can be used only with FSTYPE field */ > + if (flags == AUDIT_FILTER_PATH) { > + uint32_t features = audit_get_features(); > + if ((features & AUDIT_FEATURE_BITMAP_FILTER_PATH) == 0) { > + return -EAU_FILTERNOSUPPORT; > + } else { > + switch(field) { > + case AUDIT_FSTYPE: > + _audit_filterpathadded = 1; > + case AUDIT_FILTERKEY: > + break; > + default: > + return -EAU_FIELDUNAVAIL; > + } > + } > + } > + > rule->fields[rule->field_count] = field; > rule->fieldflags[rule->field_count] = op; > switch (field) > @@ -1589,7 +1608,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data > **rulep, const char *pair, } > if (field == AUDIT_FILTERKEY && > !(_audit_syscalladded || _audit_permadded || > - _audit_exeadded || _audit_filterexcladded)) > + _audit_exeadded || _audit_filterexcladded || > + _audit_filterpathadded)) > return -EAU_KEYDEP; > vlen = strlen(v); > if (field == AUDIT_FILTERKEY && > @@ -1724,7 +1744,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data > **rulep, const char *pair, return -EAU_EXITONLY; > /* fallthrough */ > default: > - if (field == AUDIT_INODE) { > + if (field == AUDIT_INODE || field == AUDIT_FSTYPE) { > if (!(op == AUDIT_NOT_EQUAL || > op == AUDIT_EQUAL)) > return -EAU_OPEQNOTEQ; > @@ -1736,6 +1756,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data > **rulep, const char *pair, if (!isdigit((char)*(v))) > return -EAU_FIELDVALNUM; > > + if (field == AUDIT_FSTYPE && flags != AUDIT_FILTER_PATH) > + return -EAU_FIELDUNAVAIL; > if (field == AUDIT_INODE) > rule->values[rule->field_count] = > strtoul(v, NULL, 0); > diff --git a/lib/libaudit.h b/lib/libaudit.h > index e5c7a4d..e9c4973 100644 > --- a/lib/libaudit.h > +++ b/lib/libaudit.h > @@ -277,6 +277,9 @@ extern "C" { > #define AUDIT_KEY_SEPARATOR 0x01 > > /* These are used in filter control */ > +#ifndef AUDIT_FILTER_PATH > +#define AUDIT_FILTER_PATH 0x06 /* PATH record filter in __audit_inode_child > */ +#endif > #define AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE > #define AUDIT_FILTER_MASK 0x07 /* Mask to get actual filter */ > #define AUDIT_FILTER_UNSET 0x80 /* This value means filter is unset */ > @@ -305,6 +308,9 @@ extern "C" { > #ifndef AUDIT_FEATURE_BITMAP_LOST_RESET > #define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 > #endif > +#ifndef AUDIT_FEATURE_BITMAP_FILTER_PATH > +#define AUDIT_FEATURE_BITMAP_FILTER_PATH 0x00000040 > +#endif > > /* Defines for interfield comparison update */ > #ifndef AUDIT_OBJ_UID > @@ -324,6 +330,10 @@ extern "C" { > #define AUDIT_SESSIONID 25 > #endif > > +#ifndef AUDIT_FSTYPE > +#define AUDIT_FSTYPE 26 > +#endif > + > #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID > #define AUDIT_COMPARE_UID_TO_OBJ_UID 1 > #endif > diff --git a/lib/private.h b/lib/private.h > index 855187b..117d6e3 100644 > --- a/lib/private.h > +++ b/lib/private.h > @@ -140,6 +140,7 @@ extern int _audit_archadded; > extern int _audit_syscalladded; > extern int _audit_exeadded; > extern int _audit_filterexcladded; > +extern int _audit_filterpathadded; > extern unsigned int _audit_elf; > > #ifdef __cplusplus > diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c > index 3bc8e71..e8640dd 100644 > --- a/src/auditctl-listing.c > +++ b/src/auditctl-listing.c > @@ -91,7 +91,8 @@ static int is_watch(const struct audit_rule_data *r) > > if (((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_USER) && > ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK) && > - ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE)) { > + ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE) && > + ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_PATH)) { > for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) { > if (r->mask[i] != (uint32_t)~0) { > all = 0; > @@ -139,7 +140,8 @@ static int print_syscall(const struct audit_rule_data > *r, unsigned int *sc) /* Rules on the following filters do not take a > syscall */ > if (((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_USER) || > ((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_TASK) || > - ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE)) > + ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE) || > + ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_PATH)) > return 0; > > /* See if its all or specific syscalls */ > diff --git a/src/auditctl.c b/src/auditctl.c > index c785087..c7e8f0f 100644 > --- a/src/auditctl.c > +++ b/src/auditctl.c > @@ -19,6 +19,7 @@ > * Authors: > * Steve Grubb <sgrubb@redhat.com> > * Rickard E. (Rik) Faith <faith@redhat.com> > + * Richard Guy Briggs <rgb@redhat.com> > */ > > #include "config.h" > @@ -75,6 +76,7 @@ static int reset_vars(void) > _audit_archadded = 0; > _audit_exeadded = 0; > _audit_filterexcladded = 0; > + _audit_filterpathadded = 0; > _audit_elf = 0; > add = AUDIT_FILTER_UNSET; > del = AUDIT_FILTER_UNSET; > @@ -152,6 +154,8 @@ static int lookup_filter(const char *str, int *filter) > *filter = AUDIT_FILTER_EXIT; > else if (strcmp(str, "user") == 0) > *filter = AUDIT_FILTER_USER; > + else if (strcmp(str, "path") == 0) > + *filter = AUDIT_FILTER_PATH; > else if (strcmp(str, "exclude") == 0) { > *filter = AUDIT_FILTER_EXCLUDE; > exclude = 1; > @@ -761,6 +765,13 @@ static int setopt(int count, int lineno, char *vars[]) > audit_msg(LOG_ERR, > "Error: syscall auditing being added to user list"); > return -1; > + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > + AUDIT_FILTER_PATH || (del & > + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > + AUDIT_FILTER_PATH)) { > + audit_msg(LOG_ERR, > + "Error: syscall auditing being added to path list"); > + return -1; > } else if (exclude) { > audit_msg(LOG_ERR, > "Error: syscall auditing cannot be put on exclude list"); > @@ -937,7 +948,8 @@ static int setopt(int count, int lineno, char *vars[]) > break; > case 'k': > if (!(_audit_syscalladded || _audit_permadded || > - _audit_exeadded || _audit_filterexcladded) || > + _audit_exeadded || _audit_filterexcladded || > + _audit_filterpathadded) || > (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) { > audit_msg(LOG_ERR, > "key option needs a watch or syscall given prior to it"); ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] filter: add path filter with fstype 2017-06-13 0:28 ` Steve Grubb @ 2017-06-13 2:45 ` Richard Guy Briggs 2017-06-13 14:49 ` Paul Moore 2017-06-13 21:25 ` Steve Grubb 0 siblings, 2 replies; 6+ messages in thread From: Richard Guy Briggs @ 2017-06-13 2:45 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit On 2017-06-12 20:28, Steve Grubb wrote: > Hello, Hi (swapping in this task after > 2 months...) > This patch needs to be refactored to match the current count of error messages > in err_msgtab. > > What error message is emitted when run on a kernel that does not support the > new filter? -36 (which needs re-checking now that ghau12/ghau21pr has been reworked.) > On Tuesday, April 4, 2017 6:40:18 AM EDT Richard Guy Briggs wrote: > > Tracefs or debugfs were causing hundreds to thousands of PATH records to > > be associated with the init_module and finit_module SYSCALL records on a > > few modules when the following rule was in place for startup: > > -a always,exit -F arch=x86_64 -S init_module -F key=mod-load > > > > Add the new "path" filter list anchored in __audit_inode_child() to > > filter out PATH records from uninteresting filesystem types, "fstype", > > keying on their kernel hexadecimal 4-octet magic identifier. > > > > An example rule would look like: > > -a never,path -F fstype=0x74726163 -F key=ignore_tracefs > > -a never,path -F fstype=0x64626720 -F key=ignore_debugfs > > Are we sure path is the best name for this filter? Is there something more > precise like filesystem? It is filesystem type that we are filtering, but there may be a use case to filter on another factor later, so like the "type" filter that really is the "exclude" filter, let's not make that mistake again. I wrestled with that for a while and kept coming back to "path" filter due to the fact that it was a path record that was affected. At the moment it is only active on audit_inode_child, but I could potentially see it being active on audit_inode as well. > > Note: "always,path" will log the PATH record anyways and add latency. > > > > See: https://github.com/linux-audit/audit-userspace/issues/15 > > See: https://github.com/linux-audit/audit-kernel/issues/8 > > Test case: https://github.com/linux-audit/audit-testsuite/issues/42 > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > --- > > docs/audit_add_rule_data.3 | 3 +++ > > lib/errormsg.h | 5 +++++ > > lib/fieldtab.h | 2 ++ > > lib/flagtab.h | 2 ++ > > lib/libaudit.c | 26 ++++++++++++++++++++++++-- > > lib/libaudit.h | 10 ++++++++++ > > lib/private.h | 1 + > > src/auditctl-listing.c | 6 ++++-- > > src/auditctl.c | 14 +++++++++++++- > > 9 files changed, 64 insertions(+), 5 deletions(-) > > > > diff --git a/docs/audit_add_rule_data.3 b/docs/audit_add_rule_data.3 > > index 2321f39..4867e8c 100644 > > --- a/docs/audit_add_rule_data.3 > > +++ b/docs/audit_add_rule_data.3 > > @@ -22,6 +22,9 @@ AUDIT_FILTER_EXIT - Apply rule at syscall exit. > > .TP > > \(bu > > AUDIT_FILTER_TYPE - Apply rule at audit_log_start. > > +.TP > > +\(bu > > +AUDIT_FILTER_PATH - Apply rule at __audit_inode_child. > > I don't think this is real clear. Maybe some others need touching up here as > well. But we should say something someone with a casual knowledge of audit > would understand. Agreed. How about "Apply rule when adding PATH auxiliary records to SYSCALL events." > > > .LP > > > > .PP > > diff --git a/lib/errormsg.h b/lib/errormsg.h > > index 50c7d50..2a6e4d6 100644 > > --- a/lib/errormsg.h > > +++ b/lib/errormsg.h > > @@ -20,6 +20,7 @@ > > * Authors: > > * Zhang Xiliang <zhangxiliang@cn.fujitsu.com> > > * Steve Grubb <sgrubb@redhat.com> > > + * Richard Guy Briggs <rgb@redhat.com> > > */ > > > > struct msg_tab { > > @@ -70,6 +71,8 @@ static const struct msg_tab err_msgtab[] = { > > { -32, 0, "field data is missing" }, > > { -33, 2, "-C field incompatible" }, > > { -34, 2, "-C value incompatible" }, > > + { -35, 1, "field is not valid for the filter" }, > > + { -36, 1, "filter is not supported ty kernel" }, > > }; > > Numbers need re-aligning. Probably... > -Steve > > > #define EAU_OPMISSING 1 > > #define EAU_FIELDUNKNOWN 2 > > @@ -103,4 +106,6 @@ static const struct msg_tab err_msgtab[] = { > > #define EAU_DATAMISSING 32 > > #define EAU_COMPFIELDINCOMPAT 33 > > #define EAU_COMPVALINCOMPAT 34 > > +#define EAU_FIELDUNAVAIL 35 > > +#define EAU_FILTERNOSUPPORT 36 > > #endif > > diff --git a/lib/fieldtab.h b/lib/fieldtab.h > > index 0c5e39d..c425d5b 100644 > > --- a/lib/fieldtab.h > > +++ b/lib/fieldtab.h > > @@ -18,6 +18,7 @@ > > * > > * Authors: > > * Steve Grubb <sgrubb@redhat.com> > > + * Richard Guy Briggs <rgb@redhat.com> > > */ > > > > _S(AUDIT_PID, "pid" ) > > @@ -56,6 +57,7 @@ _S(AUDIT_WATCH, "path" ) > > _S(AUDIT_PERM, "perm" ) > > _S(AUDIT_DIR, "dir" ) > > _S(AUDIT_FILETYPE, "filetype" ) > > +_S(AUDIT_FSTYPE, "fstype" ) > > _S(AUDIT_OBJ_UID, "obj_uid" ) > > _S(AUDIT_OBJ_GID, "obj_gid" ) > > _S(AUDIT_FIELD_COMPARE, "field_compare" ) > > diff --git a/lib/flagtab.h b/lib/flagtab.h > > index 4b04692..ed3e729 100644 > > --- a/lib/flagtab.h > > +++ b/lib/flagtab.h > > @@ -18,8 +18,10 @@ > > * > > * Authors: > > * Steve Grubb <sgrubb@redhat.com> > > + * Richard Guy Briggs <rgb@redhat.com> > > */ > > _S(AUDIT_FILTER_TASK, "task" ) > > _S(AUDIT_FILTER_EXIT, "exit" ) > > _S(AUDIT_FILTER_USER, "user" ) > > _S(AUDIT_FILTER_EXCLUDE, "exclude" ) > > +_S(AUDIT_FILTER_PATH, "path" ) > > diff --git a/lib/libaudit.c b/lib/libaudit.c > > index 028483d..f28238a 100644 > > --- a/lib/libaudit.c > > +++ b/lib/libaudit.c > > @@ -19,6 +19,7 @@ > > * Authors: > > * Steve Grubb <sgrubb@redhat.com> > > * Rickard E. (Rik) Faith <faith@redhat.com> > > + * Richard Guy Briggs <rgb@redhat.com> > > */ > > > > #include "config.h" > > @@ -86,6 +87,7 @@ int _audit_archadded = 0; > > int _audit_syscalladded = 0; > > int _audit_exeadded = 0; > > int _audit_filterexcladded = 0; > > +int _audit_filterpathadded = 0; > > unsigned int _audit_elf = 0U; > > static struct libaudit_conf config; > > > > @@ -1475,6 +1477,23 @@ int audit_rule_fieldpair_data(struct audit_rule_data > > **rulep, const char *pair, } > > } > > > > + /* PATH filter can be used only with FSTYPE field */ > > + if (flags == AUDIT_FILTER_PATH) { > > + uint32_t features = audit_get_features(); > > + if ((features & AUDIT_FEATURE_BITMAP_FILTER_PATH) == 0) { > > + return -EAU_FILTERNOSUPPORT; > > + } else { > > + switch(field) { > > + case AUDIT_FSTYPE: > > + _audit_filterpathadded = 1; > > + case AUDIT_FILTERKEY: > > + break; > > + default: > > + return -EAU_FIELDUNAVAIL; > > + } > > + } > > + } > > + > > rule->fields[rule->field_count] = field; > > rule->fieldflags[rule->field_count] = op; > > switch (field) > > @@ -1589,7 +1608,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data > > **rulep, const char *pair, } > > if (field == AUDIT_FILTERKEY && > > !(_audit_syscalladded || _audit_permadded || > > - _audit_exeadded || _audit_filterexcladded)) > > + _audit_exeadded || _audit_filterexcladded || > > + _audit_filterpathadded)) > > return -EAU_KEYDEP; > > vlen = strlen(v); > > if (field == AUDIT_FILTERKEY && > > @@ -1724,7 +1744,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data > > **rulep, const char *pair, return -EAU_EXITONLY; > > /* fallthrough */ > > default: > > - if (field == AUDIT_INODE) { > > + if (field == AUDIT_INODE || field == AUDIT_FSTYPE) { > > if (!(op == AUDIT_NOT_EQUAL || > > op == AUDIT_EQUAL)) > > return -EAU_OPEQNOTEQ; > > @@ -1736,6 +1756,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data > > **rulep, const char *pair, if (!isdigit((char)*(v))) > > return -EAU_FIELDVALNUM; > > > > + if (field == AUDIT_FSTYPE && flags != AUDIT_FILTER_PATH) > > + return -EAU_FIELDUNAVAIL; > > if (field == AUDIT_INODE) > > rule->values[rule->field_count] = > > strtoul(v, NULL, 0); > > diff --git a/lib/libaudit.h b/lib/libaudit.h > > index e5c7a4d..e9c4973 100644 > > --- a/lib/libaudit.h > > +++ b/lib/libaudit.h > > @@ -277,6 +277,9 @@ extern "C" { > > #define AUDIT_KEY_SEPARATOR 0x01 > > > > /* These are used in filter control */ > > +#ifndef AUDIT_FILTER_PATH > > +#define AUDIT_FILTER_PATH 0x06 /* PATH record filter in > __audit_inode_child > > */ +#endif > > #define AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE > > #define AUDIT_FILTER_MASK 0x07 /* Mask to get actual filter */ > > #define AUDIT_FILTER_UNSET 0x80 /* This value means filter is unset */ > > @@ -305,6 +308,9 @@ extern "C" { > > #ifndef AUDIT_FEATURE_BITMAP_LOST_RESET > > #define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 > > #endif > > +#ifndef AUDIT_FEATURE_BITMAP_FILTER_PATH > > +#define AUDIT_FEATURE_BITMAP_FILTER_PATH 0x00000040 > > +#endif > > > > /* Defines for interfield comparison update */ > > #ifndef AUDIT_OBJ_UID > > @@ -324,6 +330,10 @@ extern "C" { > > #define AUDIT_SESSIONID 25 > > #endif > > > > +#ifndef AUDIT_FSTYPE > > +#define AUDIT_FSTYPE 26 > > +#endif > > + > > #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID > > #define AUDIT_COMPARE_UID_TO_OBJ_UID 1 > > #endif > > diff --git a/lib/private.h b/lib/private.h > > index 855187b..117d6e3 100644 > > --- a/lib/private.h > > +++ b/lib/private.h > > @@ -140,6 +140,7 @@ extern int _audit_archadded; > > extern int _audit_syscalladded; > > extern int _audit_exeadded; > > extern int _audit_filterexcladded; > > +extern int _audit_filterpathadded; > > extern unsigned int _audit_elf; > > > > #ifdef __cplusplus > > diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c > > index 3bc8e71..e8640dd 100644 > > --- a/src/auditctl-listing.c > > +++ b/src/auditctl-listing.c > > @@ -91,7 +91,8 @@ static int is_watch(const struct audit_rule_data *r) > > > > if (((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_USER) && > > ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK) && > > - ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE)) { > > + ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE) && > > + ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_PATH)) { > > for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) { > > if (r->mask[i] != (uint32_t)~0) { > > all = 0; > > @@ -139,7 +140,8 @@ static int print_syscall(const struct audit_rule_data > > *r, unsigned int *sc) /* Rules on the following filters do not take a > > syscall */ > > if (((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_USER) || > > ((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_TASK) || > > - ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE)) > > + ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE) || > > + ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_PATH)) > > return 0; > > > > /* See if its all or specific syscalls */ > > diff --git a/src/auditctl.c b/src/auditctl.c > > index c785087..c7e8f0f 100644 > > --- a/src/auditctl.c > > +++ b/src/auditctl.c > > @@ -19,6 +19,7 @@ > > * Authors: > > * Steve Grubb <sgrubb@redhat.com> > > * Rickard E. (Rik) Faith <faith@redhat.com> > > + * Richard Guy Briggs <rgb@redhat.com> > > */ > > > > #include "config.h" > > @@ -75,6 +76,7 @@ static int reset_vars(void) > > _audit_archadded = 0; > > _audit_exeadded = 0; > > _audit_filterexcladded = 0; > > + _audit_filterpathadded = 0; > > _audit_elf = 0; > > add = AUDIT_FILTER_UNSET; > > del = AUDIT_FILTER_UNSET; > > @@ -152,6 +154,8 @@ static int lookup_filter(const char *str, int *filter) > > *filter = AUDIT_FILTER_EXIT; > > else if (strcmp(str, "user") == 0) > > *filter = AUDIT_FILTER_USER; > > + else if (strcmp(str, "path") == 0) > > + *filter = AUDIT_FILTER_PATH; > > else if (strcmp(str, "exclude") == 0) { > > *filter = AUDIT_FILTER_EXCLUDE; > > exclude = 1; > > @@ -761,6 +765,13 @@ static int setopt(int count, int lineno, char *vars[]) > > audit_msg(LOG_ERR, > > "Error: syscall auditing being added to user list"); > > return -1; > > + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > > + AUDIT_FILTER_PATH || (del & > > + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > > + AUDIT_FILTER_PATH)) { > > + audit_msg(LOG_ERR, > > + "Error: syscall auditing being added to path list"); > > + return -1; > > } else if (exclude) { > > audit_msg(LOG_ERR, > > "Error: syscall auditing cannot be put on exclude list"); > > @@ -937,7 +948,8 @@ static int setopt(int count, int lineno, char *vars[]) > > break; > > case 'k': > > if (!(_audit_syscalladded || _audit_permadded || > > - _audit_exeadded || _audit_filterexcladded) || > > + _audit_exeadded || _audit_filterexcladded || > > + _audit_filterpathadded) || > > (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) { > > audit_msg(LOG_ERR, > > "key option needs a watch or syscall given prior to it"); > > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit - RGB -- Richard Guy Briggs <rgb@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] filter: add path filter with fstype 2017-06-13 2:45 ` Richard Guy Briggs @ 2017-06-13 14:49 ` Paul Moore 2017-06-13 21:25 ` Steve Grubb 1 sibling, 0 replies; 6+ messages in thread From: Paul Moore @ 2017-06-13 14:49 UTC (permalink / raw) To: Richard Guy Briggs, Steve Grubb; +Cc: linux-audit On Mon, Jun 12, 2017 at 10:45 PM, Richard Guy Briggs <rgb@redhat.com> wrote: > On 2017-06-12 20:28, Steve Grubb wrote: >> Hello, > > Hi (swapping in this task after > 2 months...) > >> This patch needs to be refactored to match the current count of error messages >> in err_msgtab. >> >> What error message is emitted when run on a kernel that does not support the >> new filter? > > -36 (which needs re-checking now that ghau12/ghau21pr has been reworked.) > >> On Tuesday, April 4, 2017 6:40:18 AM EDT Richard Guy Briggs wrote: >> > Tracefs or debugfs were causing hundreds to thousands of PATH records to >> > be associated with the init_module and finit_module SYSCALL records on a >> > few modules when the following rule was in place for startup: >> > -a always,exit -F arch=x86_64 -S init_module -F key=mod-load >> > >> > Add the new "path" filter list anchored in __audit_inode_child() to >> > filter out PATH records from uninteresting filesystem types, "fstype", >> > keying on their kernel hexadecimal 4-octet magic identifier. >> > >> > An example rule would look like: >> > -a never,path -F fstype=0x74726163 -F key=ignore_tracefs >> > -a never,path -F fstype=0x64626720 -F key=ignore_debugfs >> >> Are we sure path is the best name for this filter? Is there something more >> precise like filesystem? > > It is filesystem type that we are filtering, but there may be a use case > to filter on another factor later, so like the "type" filter that really > is the "exclude" filter, let's not make that mistake again. > > I wrestled with that for a while and kept coming back to "path" filter > due to the fact that it was a path record that was affected. At the > moment it is only active on audit_inode_child, but I could potentially > see it being active on audit_inode as well. FWIW, I too struggled a bit with that name when looking at the kernel code. I'm not a fan of "path" in this case, but I can't think of anything substantially better. -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] filter: add path filter with fstype 2017-06-13 2:45 ` Richard Guy Briggs 2017-06-13 14:49 ` Paul Moore @ 2017-06-13 21:25 ` Steve Grubb 2017-06-15 3:15 ` Richard Guy Briggs 1 sibling, 1 reply; 6+ messages in thread From: Steve Grubb @ 2017-06-13 21:25 UTC (permalink / raw) To: Richard Guy Briggs; +Cc: linux-audit Hello, On Monday, June 12, 2017 10:45:50 PM EDT Richard Guy Briggs wrote: > On 2017-06-12 20:28, Steve Grubb wrote: > > This patch needs to be refactored to match the current count of error > > messages in err_msgtab. > > > > What error message is emitted when run on a kernel that does not support > > the new filter? > > -36 (which needs re-checking now that ghau12/ghau21pr has been reworked.) And now that the other error message macros have been applied... > > On Tuesday, April 4, 2017 6:40:18 AM EDT Richard Guy Briggs wrote: > > > Tracefs or debugfs were causing hundreds to thousands of PATH records to > > > be associated with the init_module and finit_module SYSCALL records on a > > > > > > few modules when the following rule was in place for startup: > > > -a always,exit -F arch=x86_64 -S init_module -F key=mod-load > > > > > > Add the new "path" filter list anchored in __audit_inode_child() to > > > filter out PATH records from uninteresting filesystem types, "fstype", > > > keying on their kernel hexadecimal 4-octet magic identifier. > > > > > > An example rule would look like: > > > -a never,path -F fstype=0x74726163 -F key=ignore_tracefs > > > -a never,path -F fstype=0x64626720 -F key=ignore_debugfs > > > > Are we sure path is the best name for this filter? Is there something more > > precise like filesystem? > > It is filesystem type that we are filtering, but there may be a use case > to filter on another factor later, so like the "type" filter that really > is the "exclude" filter, let's not make that mistake again. What else could this filter have its hands on? Could it audit mounting/ unmounting of certain file systems? > I wrestled with that for a while and kept coming back to "path" filter > due to the fact that it was a path record that was affected. I don't like having path as a filter and path as a field option. Path is getting too overloaded. > At the moment it is only active on audit_inode_child, but I could > potentially see it being active on audit_inode as well. I'd lean towards filesystem for the filter name. -Steve > > > Note: "always,path" will log the PATH record anyways and add latency. > > > > > > See: https://github.com/linux-audit/audit-userspace/issues/15 > > > See: https://github.com/linux-audit/audit-kernel/issues/8 > > > Test case: https://github.com/linux-audit/audit-testsuite/issues/42 > > > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > > --- > > > > > > docs/audit_add_rule_data.3 | 3 +++ > > > lib/errormsg.h | 5 +++++ > > > lib/fieldtab.h | 2 ++ > > > lib/flagtab.h | 2 ++ > > > lib/libaudit.c | 26 ++++++++++++++++++++++++-- > > > lib/libaudit.h | 10 ++++++++++ > > > lib/private.h | 1 + > > > src/auditctl-listing.c | 6 ++++-- > > > src/auditctl.c | 14 +++++++++++++- > > > 9 files changed, 64 insertions(+), 5 deletions(-) > > > > > > diff --git a/docs/audit_add_rule_data.3 b/docs/audit_add_rule_data.3 > > > index 2321f39..4867e8c 100644 > > > --- a/docs/audit_add_rule_data.3 > > > +++ b/docs/audit_add_rule_data.3 > > > @@ -22,6 +22,9 @@ AUDIT_FILTER_EXIT - Apply rule at syscall exit. > > > > > > .TP > > > \(bu > > > AUDIT_FILTER_TYPE - Apply rule at audit_log_start. > > > > > > +.TP > > > +\(bu > > > +AUDIT_FILTER_PATH - Apply rule at __audit_inode_child. > > > > I don't think this is real clear. Maybe some others need touching up here > > as well. But we should say something someone with a casual knowledge of > > audit would understand. > > Agreed. How about "Apply rule when adding PATH auxiliary records to SYSCALL > events." I updated this man page. It needs to say when its applicable, whether events are normally accepted or blocked with no rule applied, and what the typical use case is. -Steve ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] filter: add path filter with fstype 2017-06-13 21:25 ` Steve Grubb @ 2017-06-15 3:15 ` Richard Guy Briggs 0 siblings, 0 replies; 6+ messages in thread From: Richard Guy Briggs @ 2017-06-15 3:15 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit On 2017-06-13 17:25, Steve Grubb wrote: > Hello, > > On Monday, June 12, 2017 10:45:50 PM EDT Richard Guy Briggs wrote: > > On 2017-06-12 20:28, Steve Grubb wrote: > > > This patch needs to be refactored to match the current count of error > > > messages in err_msgtab. > > > > > > What error message is emitted when run on a kernel that does not support > > > the new filter? > > > > -36 (which needs re-checking now that ghau12/ghau21pr has been reworked.) > > And now that the other error message macros have been applied... Re-spinning... > > > On Tuesday, April 4, 2017 6:40:18 AM EDT Richard Guy Briggs wrote: > > > > Tracefs or debugfs were causing hundreds to thousands of PATH records to > > > > be associated with the init_module and finit_module SYSCALL records on a > > > > > > > > few modules when the following rule was in place for startup: > > > > -a always,exit -F arch=x86_64 -S init_module -F key=mod-load > > > > > > > > Add the new "path" filter list anchored in __audit_inode_child() to > > > > filter out PATH records from uninteresting filesystem types, "fstype", > > > > keying on their kernel hexadecimal 4-octet magic identifier. > > > > > > > > An example rule would look like: > > > > -a never,path -F fstype=0x74726163 -F key=ignore_tracefs > > > > -a never,path -F fstype=0x64626720 -F key=ignore_debugfs > > > > > > Are we sure path is the best name for this filter? Is there something more > > > precise like filesystem? > > > > It is filesystem type that we are filtering, but there may be a use case > > to filter on another factor later, so like the "type" filter that really > > is the "exclude" filter, let's not make that mistake again. > > What else could this filter have its hands on? Could it audit mounting/ > unmounting of certain file systems? I wasn't thinking so much of the filter point, but other filter fields (like auid=-1? or a mount sub-tree? or ...?). > > I wrestled with that for a while and kept coming back to "path" filter > > due to the fact that it was a path record that was affected. > > I don't like having path as a filter and path as a field option. Path is > getting too overloaded. Granted. > > At the moment it is only active on audit_inode_child, but I could > > potentially see it being active on audit_inode as well. > > I'd lean towards filesystem for the filter name. I think I'm alright with that name. I'll re-spin the patch and see if anything jumps out at me in the process. Another place this might be used is for the CWD record. > -Steve > > > > > Note: "always,path" will log the PATH record anyways and add latency. > > > > > > > > See: https://github.com/linux-audit/audit-userspace/issues/15 > > > > See: https://github.com/linux-audit/audit-kernel/issues/8 > > > > Test case: https://github.com/linux-audit/audit-testsuite/issues/42 > > > > > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > > > --- > > > > > > > > docs/audit_add_rule_data.3 | 3 +++ > > > > lib/errormsg.h | 5 +++++ > > > > lib/fieldtab.h | 2 ++ > > > > lib/flagtab.h | 2 ++ > > > > lib/libaudit.c | 26 ++++++++++++++++++++++++-- > > > > lib/libaudit.h | 10 ++++++++++ > > > > lib/private.h | 1 + > > > > src/auditctl-listing.c | 6 ++++-- > > > > src/auditctl.c | 14 +++++++++++++- > > > > 9 files changed, 64 insertions(+), 5 deletions(-) > > > > > > > > diff --git a/docs/audit_add_rule_data.3 b/docs/audit_add_rule_data.3 > > > > index 2321f39..4867e8c 100644 > > > > --- a/docs/audit_add_rule_data.3 > > > > +++ b/docs/audit_add_rule_data.3 > > > > @@ -22,6 +22,9 @@ AUDIT_FILTER_EXIT - Apply rule at syscall exit. > > > > > > > > .TP > > > > \(bu > > > > AUDIT_FILTER_TYPE - Apply rule at audit_log_start. > > > > > > > > +.TP > > > > +\(bu > > > > +AUDIT_FILTER_PATH - Apply rule at __audit_inode_child. > > > > > > I don't think this is real clear. Maybe some others need touching up here > > > as well. But we should say something someone with a casual knowledge of > > > audit would understand. > > > > Agreed. How about "Apply rule when adding PATH auxiliary records to SYSCALL > > events." > > I updated this man page. It needs to say when its applicable, whether events > are normally accepted or blocked with no rule applied, and what the typical > use case is. Ok, I see the other examples. > -Steve - RGB -- Richard Guy Briggs <rgb@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2017-06-15 3:15 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2017-04-04 10:40 [PATCH] filter: add path filter with fstype Richard Guy Briggs 2017-06-13 0:28 ` Steve Grubb 2017-06-13 2:45 ` Richard Guy Briggs 2017-06-13 14:49 ` Paul Moore 2017-06-13 21:25 ` Steve Grubb 2017-06-15 3:15 ` Richard Guy Briggs
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox